Hackers Impersonate Amnesty International to Spread Malware

Sarwent Malware Can Execute Remote Tasks

Fake Amnesty International Site. Source: Cisco Talos

Fraudsters are impersonating Amnesty International by building a fake site to distribute malware purporting to be an anti-virus tool to protect against the NSO Group’s Pegasus tool, according to researchers at Cisco Talos.

Cisco Talos researchers discovered that the threat actors – instead of delivering a real anti-virus tool – send a fake that actually downloads and installs the Sarwent malware, which contains the usual abilities of a remote access tool, serving as a backdoor on the victim machine.

The malware has several means of executing remote tasks, including Remote Desktop Protocol and Virtual Network Computing, even though it also has shell and PowerShell execution capabilities.

“We believe this campaign has the potential to infect many users given the recent spotlight on the Pegasus spyware,” researchers note. “In addition to Amnesty International’s report, Apple also had to recently release a security update for iOS that patched a vulnerability attackers were exploiting to install Pegasus. Many users may be searching for protection against this threat at this time.” (see: Apple Fixes Zero-Day Flaws Used to Target Activist).

Amnesty International recently released a ground…